search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4: do not change the critical flag when it's on a dirsync control
[Samba/gbeck.git] / source4 / dsdb / samdb / ldb_modules / rootdse.c
blobc584a11b2c6e9f389003feaec9f2014e3216ad64
1 /*
2 Unix SMB/CIFS implementation.
3
4 rootDSE ldb module
5
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Simo Sorce 2005-2008
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include <ldb.h>
25 #include <ldb_module.h>
26 #include "system/time.h"
27 #include "dsdb/samdb/samdb.h"
28 #include "version.h"
29 #include "dsdb/samdb/ldb_modules/util.h"
30 #include "libcli/security/security.h"
31 #include "librpc/ndr/libndr.h"
32 #include "auth/auth.h"
33 #include "param/param.h"
34 #include "lib/messaging/irpc.h"
35 #include "librpc/gen_ndr/ndr_irpc_c.h"
36
37 struct private_data {
38 unsigned int num_controls;
39 char **controls;
40 unsigned int num_partitions;
41 struct ldb_dn **partitions;
42 bool block_anonymous;
43 };
44
45 /*
46 return 1 if a specific attribute has been requested
47 */
48 static int do_attribute(const char * const *attrs, const char *name)
49 {
50 return attrs == NULL ||
51 ldb_attr_in_list(attrs, name) ||
52 ldb_attr_in_list(attrs, "*");
53 }
54
55 static int do_attribute_explicit(const char * const *attrs, const char *name)
56 {
57 return attrs != NULL && ldb_attr_in_list(attrs, name);
58 }
59
60
61 /*
62 expand a DN attribute to include extended DN information if requested
63 */
64 static int expand_dn_in_message(struct ldb_module *module, struct ldb_message *msg,
65 const char *attrname, struct ldb_control *edn_control,
66 struct ldb_request *req)
67 {
68 struct ldb_dn *dn, *dn2;
69 struct ldb_val *v;
70 int ret;
71 struct ldb_request *req2;
72 char *dn_string;
73 const char *no_attrs[] = { NULL };
74 struct ldb_result *res;
75 struct ldb_extended_dn_control *edn;
76 TALLOC_CTX *tmp_ctx = talloc_new(req);
77 struct ldb_context *ldb;
78 int edn_type = 0;
79
80 ldb = ldb_module_get_ctx(module);
81
82 edn = talloc_get_type(edn_control->data, struct ldb_extended_dn_control);
83 if (edn) {
84 edn_type = edn->type;
85 }
86
87 v = discard_const_p(struct ldb_val, ldb_msg_find_ldb_val(msg, attrname));
88 if (v == NULL) {
89 talloc_free(tmp_ctx);
90 return LDB_SUCCESS;
91 }
92
93 dn_string = talloc_strndup(tmp_ctx, (const char *)v->data, v->length);
94 if (dn_string == NULL) {
95 talloc_free(tmp_ctx);
96 return ldb_operr(ldb);
97 }
98
99 res = talloc_zero(tmp_ctx, struct ldb_result);
100 if (res == NULL) {
101 talloc_free(tmp_ctx);
102 return ldb_operr(ldb);
103 }
104
105 dn = ldb_dn_new(tmp_ctx, ldb, dn_string);
106 if (dn == NULL) {
107 talloc_free(tmp_ctx);
108 return ldb_operr(ldb);
109 }
110
111 ret = ldb_build_search_req(&req2, ldb, tmp_ctx,
112 dn,
113 LDB_SCOPE_BASE,
114 NULL,
115 no_attrs,
116 NULL,
117 res, ldb_search_default_callback,
118 req);
119 LDB_REQ_SET_LOCATION(req2);
120 if (ret != LDB_SUCCESS) {
121 talloc_free(tmp_ctx);
122 return ret;
123 }
124
125
126 ret = ldb_request_add_control(req2,
127 LDB_CONTROL_EXTENDED_DN_OID,
128 edn_control->critical, edn);
129 if (ret != LDB_SUCCESS) {
130 talloc_free(tmp_ctx);
131 return ret;
132 }
133
134 ret = ldb_next_request(module, req2);
135 if (ret == LDB_SUCCESS) {
136 ret = ldb_wait(req2->handle, LDB_WAIT_ALL);
137 }
138 if (ret != LDB_SUCCESS) {
139 talloc_free(tmp_ctx);
140 return ret;
141 }
142
143 if (!res || res->count != 1) {
144 talloc_free(tmp_ctx);
145 return ldb_operr(ldb);
146 }
147
148 dn2 = res->msgs[0]->dn;
149
150 v->data = (uint8_t *)ldb_dn_get_extended_linearized(msg->elements, dn2, edn_type);
151 if (v->data == NULL) {
152 talloc_free(tmp_ctx);
153 return ldb_operr(ldb);
154 }
155 v->length = strlen((char *)v->data);
156
157
158 talloc_free(tmp_ctx);
159
160 return LDB_SUCCESS;
161 }
162
163
164 /*
165 add dynamically generated attributes to rootDSE result
166 */
167 static int rootdse_add_dynamic(struct ldb_module *module, struct ldb_message *msg,
168 const char * const *attrs, struct ldb_request *req)
169 {
170 struct ldb_context *ldb;
171 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
172 char **server_sasl;
173 const struct dsdb_schema *schema;
174 int *val;
175 struct ldb_control *edn_control;
176 const char *dn_attrs[] = {
177 "configurationNamingContext",
178 "defaultNamingContext",
179 "dsServiceName",
180 "rootDomainNamingContext",
181 "schemaNamingContext",
182 "serverName",
183 NULL
184 };
185
186 ldb = ldb_module_get_ctx(module);
187 schema = dsdb_get_schema(ldb, NULL);
188
189 msg->dn = ldb_dn_new(msg, ldb, NULL);
190
191 /* don't return the distinguishedName, cn and name attributes */
192 ldb_msg_remove_attr(msg, "distinguishedName");
193 ldb_msg_remove_attr(msg, "cn");
194 ldb_msg_remove_attr(msg, "name");
195
196 if (do_attribute(attrs, "serverName")) {
197 if (ldb_msg_add_linearized_dn(msg, "serverName",
198 samdb_server_dn(ldb, msg)) != LDB_SUCCESS) {
199 goto failed;
200 }
201 }
202
203 if (do_attribute(attrs, "dnsHostName")) {
204 struct ldb_result *res;
205 int ret;
206 const char *dns_attrs[] = { "dNSHostName", NULL };
207 ret = dsdb_module_search_dn(module, msg, &res, samdb_server_dn(ldb, msg),
208 dns_attrs, DSDB_FLAG_NEXT_MODULE, req);
209 if (ret == LDB_SUCCESS) {
210 const char *hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
211 if (hostname != NULL) {
212 if (ldb_msg_add_string(msg, "dNSHostName", hostname)) {
213 goto failed;
214 }
215 }
216 }
217 }
218
219 if (do_attribute(attrs, "ldapServiceName")) {
220 struct loadparm_context *lp_ctx
221 = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
222 struct loadparm_context);
223 char *ldap_service_name, *hostname;
224
225 hostname = strlower_talloc(msg, lpcfg_netbios_name(lp_ctx));
226 if (hostname == NULL) {
227 goto failed;
228 }
229
230 ldap_service_name = talloc_asprintf(msg, "%s:%s$@%s",
231 samdb_forest_name(ldb, msg),
232 hostname, lpcfg_realm(lp_ctx));
233 if (ldap_service_name == NULL) {
234 goto failed;
235 }
236
237 if (ldb_msg_add_string(msg, "ldapServiceName",
238 ldap_service_name) != LDB_SUCCESS) {
239 goto failed;
240 }
241 }
242
243 if (do_attribute(attrs, "currentTime")) {
244 if (ldb_msg_add_steal_string(msg, "currentTime",
245 ldb_timestring(msg, time(NULL))) != LDB_SUCCESS) {
246 goto failed;
247 }
248 }
249
250 if (priv && do_attribute(attrs, "supportedControl")) {
251 unsigned int i;
252 for (i = 0; i < priv->num_controls; i++) {
253 char *control = talloc_strdup(msg, priv->controls[i]);
254 if (!control) {
255 goto failed;
256 }
257 if (ldb_msg_add_steal_string(msg, "supportedControl",
258 control) != LDB_SUCCESS) {
259 goto failed;
260 }
261 }
262 }
263
264 if (priv && do_attribute(attrs, "namingContexts")) {
265 unsigned int i;
266 for (i = 0; i < priv->num_partitions; i++) {
267 struct ldb_dn *dn = priv->partitions[i];
268 if (ldb_msg_add_steal_string(msg, "namingContexts",
269 ldb_dn_alloc_linearized(msg, dn)) != LDB_SUCCESS) {
270 goto failed;
271 }
272 }
273 }
274
275 server_sasl = talloc_get_type(ldb_get_opaque(ldb, "supportedSASLMechanisms"),
276 char *);
277 if (server_sasl && do_attribute(attrs, "supportedSASLMechanisms")) {
278 unsigned int i;
279 for (i = 0; server_sasl && server_sasl[i]; i++) {
280 char *sasl_name = talloc_strdup(msg, server_sasl[i]);
281 if (!sasl_name) {
282 goto failed;
283 }
284 if (ldb_msg_add_steal_string(msg, "supportedSASLMechanisms",
285 sasl_name) != LDB_SUCCESS) {
286 goto failed;
287 }
288 }
289 }
290
291 if (do_attribute(attrs, "highestCommittedUSN")) {
292 uint64_t seq_num;
293 int ret = ldb_sequence_number(ldb, LDB_SEQ_HIGHEST_SEQ, &seq_num);
294 if (ret == LDB_SUCCESS) {
295 if (samdb_msg_add_uint64(ldb, msg, msg,
296 "highestCommittedUSN",
297 seq_num) != LDB_SUCCESS) {
298 goto failed;
299 }
300 }
301 }
302
303 if (schema && do_attribute_explicit(attrs, "dsSchemaAttrCount")) {
304 struct dsdb_attribute *cur;
305 unsigned int n = 0;
306
307 for (cur = schema->attributes; cur; cur = cur->next) {
308 n++;
309 }
310
311 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaAttrCount",
312 n) != LDB_SUCCESS) {
313 goto failed;
314 }
315 }
316
317 if (schema && do_attribute_explicit(attrs, "dsSchemaClassCount")) {
318 struct dsdb_class *cur;
319 unsigned int n = 0;
320
321 for (cur = schema->classes; cur; cur = cur->next) {
322 n++;
323 }
324
325 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaClassCount",
326 n) != LDB_SUCCESS) {
327 goto failed;
328 }
329 }
330
331 if (schema && do_attribute_explicit(attrs, "dsSchemaPrefixCount")) {
332 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaPrefixCount",
333 schema->prefixmap->length) != LDB_SUCCESS) {
334 goto failed;
335 }
336 }
337
338 if (do_attribute_explicit(attrs, "validFSMOs")) {
339 const struct dsdb_naming_fsmo *naming_fsmo;
340 const struct dsdb_pdc_fsmo *pdc_fsmo;
341 const char *dn_str;
342
343 if (schema && schema->fsmo.we_are_master) {
344 dn_str = ldb_dn_get_linearized(ldb_get_schema_basedn(ldb));
345 if (dn_str && dn_str[0]) {
346 if (ldb_msg_add_fmt(msg, "validFSMOs", "%s", dn_str) != LDB_SUCCESS) {
347 goto failed;
348 }
349 }
350 }
351
352 naming_fsmo = talloc_get_type(ldb_get_opaque(ldb, "dsdb_naming_fsmo"),
353 struct dsdb_naming_fsmo);
354 if (naming_fsmo && naming_fsmo->we_are_master) {
355 dn_str = ldb_dn_get_linearized(samdb_partitions_dn(ldb, msg));
356 if (dn_str && dn_str[0]) {
357 if (ldb_msg_add_fmt(msg, "validFSMOs", "%s", dn_str) != LDB_SUCCESS) {
358 goto failed;
359 }
360 }
361 }
362
363 pdc_fsmo = talloc_get_type(ldb_get_opaque(ldb, "dsdb_pdc_fsmo"),
364 struct dsdb_pdc_fsmo);
365 if (pdc_fsmo && pdc_fsmo->we_are_master) {
366 dn_str = ldb_dn_get_linearized(ldb_get_default_basedn(ldb));
367 if (dn_str && dn_str[0]) {
368 if (ldb_msg_add_fmt(msg, "validFSMOs", "%s", dn_str) != LDB_SUCCESS) {
369 goto failed;
370 }
371 }
372 }
373 }
374
375 if (do_attribute_explicit(attrs, "vendorVersion")) {
376 if (ldb_msg_add_fmt(msg, "vendorVersion",
377 "%s", SAMBA_VERSION_STRING) != LDB_SUCCESS) {
378 goto failed;
379 }
380 }
381
382 if (do_attribute(attrs, "domainFunctionality")) {
383 if (samdb_msg_add_int(ldb, msg, msg, "domainFunctionality",
384 dsdb_functional_level(ldb)) != LDB_SUCCESS) {
385 goto failed;
386 }
387 }
388
389 if (do_attribute(attrs, "forestFunctionality")) {
390 if (samdb_msg_add_int(ldb, msg, msg, "forestFunctionality",
391 dsdb_forest_functional_level(ldb)) != LDB_SUCCESS) {
392 goto failed;
393 }
394 }
395
396 if (do_attribute(attrs, "domainControllerFunctionality")
397 && (val = talloc_get_type(ldb_get_opaque(ldb, "domainControllerFunctionality"), int))) {
398 if (samdb_msg_add_int(ldb, msg, msg,
399 "domainControllerFunctionality",
400 *val) != LDB_SUCCESS) {
401 goto failed;
402 }
403 }
404
405 if (do_attribute(attrs, "isGlobalCatalogReady")) {
406 /* MS-ADTS 3.1.1.3.2.10
407 Note, we should only return true here is we have
408 completed at least one synchronisation. As both
409 provision and vampire do a full sync, this means we
410 can return true is the gc bit is set in the NTDSDSA
411 options */
412 if (ldb_msg_add_fmt(msg, "isGlobalCatalogReady",
413 "%s", samdb_is_gc(ldb)?"TRUE":"FALSE") != LDB_SUCCESS) {
414 goto failed;
415 }
416 }
417
418 if (do_attribute_explicit(attrs, "tokenGroups")) {
419 unsigned int i;
420 /* Obtain the user's session_info */
421 struct auth_session_info *session_info
422 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
423 if (session_info && session_info->security_token) {
424 /* The list of groups this user is in */
425 for (i = 0; i < session_info->security_token->num_sids; i++) {
426 if (samdb_msg_add_dom_sid(ldb, msg, msg,
427 "tokenGroups",
428 &session_info->security_token->sids[i]) != LDB_SUCCESS) {
429 goto failed;
430 }
431 }
432 }
433 }
434
435 /* TODO: lots more dynamic attributes should be added here */
436
437 edn_control = ldb_request_get_control(req, LDB_CONTROL_EXTENDED_DN_OID);
438
439 /* if the client sent us the EXTENDED_DN control then we need
440 to expand the DNs to have GUID and SID. W2K8 join relies on
441 this */
442 if (edn_control) {
443 unsigned int i;
444 int ret;
445 for (i=0; dn_attrs[i]; i++) {
446 if (!do_attribute(attrs, dn_attrs[i])) continue;
447 ret = expand_dn_in_message(module, msg, dn_attrs[i],
448 edn_control, req);
449 if (ret != LDB_SUCCESS) {
450 DEBUG(0,(__location__ ": Failed to expand DN in rootDSE for %s\n",
451 dn_attrs[i]));
452 goto failed;
453 }
454 }
455 }
456
457 return LDB_SUCCESS;
458
459 failed:
460 return ldb_operr(ldb);
461 }
462
463 /*
464 handle search requests
465 */
466
467 struct rootdse_context {
468 struct ldb_module *module;
469 struct ldb_request *req;
470 };
471
472 static struct rootdse_context *rootdse_init_context(struct ldb_module *module,
473 struct ldb_request *req)
474 {
475 struct ldb_context *ldb;
476 struct rootdse_context *ac;
477
478 ldb = ldb_module_get_ctx(module);
479
480 ac = talloc_zero(req, struct rootdse_context);
481 if (ac == NULL) {
482 ldb_set_errstring(ldb, "Out of Memory");
483 return NULL;
484 }
485
486 ac->module = module;
487 ac->req = req;
488
489 return ac;
490 }
491
492 static int rootdse_callback(struct ldb_request *req, struct ldb_reply *ares)
493 {
494 struct rootdse_context *ac;
495 int ret;
496
497 ac = talloc_get_type(req->context, struct rootdse_context);
498
499 if (!ares) {
500 return ldb_module_done(ac->req, NULL, NULL,
501 LDB_ERR_OPERATIONS_ERROR);
502 }
503 if (ares->error != LDB_SUCCESS) {
504 return ldb_module_done(ac->req, ares->controls,
505 ares->response, ares->error);
506 }
507
508 switch (ares->type) {
509 case LDB_REPLY_ENTRY:
510 /*
511 * if the client explicit asks for the 'netlogon' attribute
512 * the reply_entry needs to be skipped
513 */
514 if (ac->req->op.search.attrs &&
515 ldb_attr_in_list(ac->req->op.search.attrs, "netlogon")) {
516 talloc_free(ares);
517 return LDB_SUCCESS;
518 }
519
520 /* for each record returned post-process to add any dynamic
521 attributes that have been asked for */
522 ret = rootdse_add_dynamic(ac->module, ares->message,
523 ac->req->op.search.attrs, ac->req);
524 if (ret != LDB_SUCCESS) {
525 talloc_free(ares);
526 return ldb_module_done(ac->req, NULL, NULL, ret);
527 }
528
529 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
530
531 case LDB_REPLY_REFERRAL:
532 /* should we allow the backend to return referrals in this case
533 * ?? */
534 break;
535
536 case LDB_REPLY_DONE:
537 return ldb_module_done(ac->req, ares->controls,
538 ares->response, ares->error);
539 }
540
541 talloc_free(ares);
542 return LDB_SUCCESS;
543 }
544
545 /*
546 filter from controls from clients in several ways
547
548 1) mark our registered controls as non-critical in the request
549
550 This is needed as clients may mark controls as critical even if
551 they are not needed at all in a request. For example, the centrify
552 client sets the SD_FLAGS control as critical on ldap modify
553 requests which are setting the dNSHostName attribute on the
554 machine account. That request doesn't need SD_FLAGS at all, but
555 centrify adds it on all ldap requests.
556
557 2) if this request is untrusted then remove any non-registered
558 controls that are non-critical
559
560 This is used on ldap:// connections to prevent remote users from
561 setting an internal control that may be dangerous
562
563 3) if this request is untrusted then fail any request that includes
564 a critical non-registered control
565 */
566 static int rootdse_filter_controls(struct ldb_module *module, struct ldb_request *req)
567 {
568 unsigned int i, j;
569 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
570 bool is_untrusted;
571
572 if (!req->controls) {
573 return LDB_SUCCESS;
574 }
575
576 is_untrusted = ldb_req_is_untrusted(req);
577
578 for (i=0; req->controls[i]; i++) {
579 bool is_registered = false;
580 bool is_critical = (req->controls[i]->critical != 0);
581
582 if (req->controls[i]->oid == NULL) {
583 continue;
584 }
585
586 if (is_untrusted || is_critical) {
587 for (j=0; j<priv->num_controls; j++) {
588 if (strcasecmp(priv->controls[j], req->controls[i]->oid) == 0) {
589 is_registered = true;
590 break;
591 }
592 }
593 }
594
595 if (is_untrusted && !is_registered) {
596 if (!is_critical) {
597 /* remove it by marking the oid NULL */
598 req->controls[i]->oid = NULL;
599 req->controls[i]->data = NULL;
600 req->controls[i]->critical = 0;
601 continue;
602 }
603 /* its a critical unregistered control - give
604 an error */
605 ldb_asprintf_errstring(ldb_module_get_ctx(module),
606 "Attempt to use critical non-registered control '%s'",
607 req->controls[i]->oid);
608 return LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION;
609 }
610
611 if (!is_critical) {
612 continue;
613 }
614
615 /* If the control is DIRSYNC control then we keep the critical
616 * flag as the dirsync module will need to act upon it
617 */
618 if (is_registered && strcmp(req->controls[i]->oid,
619 LDB_CONTROL_DIRSYNC_OID)!= 0) {
620 req->controls[i]->critical = 0;
621 }
622 }
623
624 return LDB_SUCCESS;
625 }
626
627 /* Ensure that anonymous users are not allowed to make anything other than rootDSE search operations */
628
629 static int rootdse_filter_operations(struct ldb_module *module, struct ldb_request *req)
630 {
631 struct auth_session_info *session_info;
632 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
633 bool is_untrusted = ldb_req_is_untrusted(req);
634 bool is_anonymous = true;
635 if (is_untrusted == false) {
636 return LDB_SUCCESS;
637 }
638
639 session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
640 if (session_info) {
641 is_anonymous = security_token_is_anonymous(session_info->security_token);
642 }
643
644 if (is_anonymous == false || (priv && priv->block_anonymous == false)) {
645 return LDB_SUCCESS;
646 }
647
648 if (req->operation == LDB_SEARCH) {
649 if (req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base)) {
650 return LDB_SUCCESS;
651 }
652 }
653 ldb_set_errstring(ldb_module_get_ctx(module), "Operation unavailable without authentication");
654 return LDB_ERR_OPERATIONS_ERROR;
655 }
656
657 static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
658 {
659 struct ldb_context *ldb;
660 struct rootdse_context *ac;
661 struct ldb_request *down_req;
662 int ret;
663
664 ret = rootdse_filter_operations(module, req);
665 if (ret != LDB_SUCCESS) {
666 return ret;
667 }
668
669 ret = rootdse_filter_controls(module, req);
670 if (ret != LDB_SUCCESS) {
671 return ret;
672 }
673
674 ldb = ldb_module_get_ctx(module);
675
676 /* see if its for the rootDSE - only a base search on the "" DN qualifies */
677 if (!(req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base))) {
678 /* Otherwise, pass down to the rest of the stack */
679 return ldb_next_request(module, req);
680 }
681
682 ac = rootdse_init_context(module, req);
683 if (ac == NULL) {
684 return ldb_operr(ldb);
685 }
686
687 /* in our db we store the rootDSE with a DN of @ROOTDSE */
688 ret = ldb_build_search_req(&down_req, ldb, ac,
689 ldb_dn_new(ac, ldb, "@ROOTDSE"),
690 LDB_SCOPE_BASE,
691 NULL,
692 req->op.search.attrs,
693 NULL,/* for now skip the controls from the client */
694 ac, rootdse_callback,
695 req);
696 LDB_REQ_SET_LOCATION(down_req);
697 if (ret != LDB_SUCCESS) {
698 return ret;
699 }
700
701 return ldb_next_request(module, down_req);
702 }
703
704 static int rootdse_register_control(struct ldb_module *module, struct ldb_request *req)
705 {
706 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
707 char **list;
708
709 list = talloc_realloc(priv, priv->controls, char *, priv->num_controls + 1);
710 if (!list) {
711 return ldb_oom(ldb_module_get_ctx(module));
712 }
713
714 list[priv->num_controls] = talloc_strdup(list, req->op.reg_control.oid);
715 if (!list[priv->num_controls]) {
716 return ldb_oom(ldb_module_get_ctx(module));
717 }
718
719 priv->num_controls += 1;
720 priv->controls = list;
721
722 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
723 }
724
725 static int rootdse_register_partition(struct ldb_module *module, struct ldb_request *req)
726 {
727 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
728 struct ldb_dn **list;
729
730 list = talloc_realloc(priv, priv->partitions, struct ldb_dn *, priv->num_partitions + 1);
731 if (!list) {
732 return ldb_oom(ldb_module_get_ctx(module));
733 }
734
735 list[priv->num_partitions] = ldb_dn_copy(list, req->op.reg_partition.dn);
736 if (!list[priv->num_partitions]) {
737 return ldb_operr(ldb_module_get_ctx(module));
738 }
739
740 priv->num_partitions += 1;
741 priv->partitions = list;
742
743 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
744 }
745
746
747 static int rootdse_request(struct ldb_module *module, struct ldb_request *req)
748 {
749 switch (req->operation) {
750
751 case LDB_REQ_REGISTER_CONTROL:
752 return rootdse_register_control(module, req);
753 case LDB_REQ_REGISTER_PARTITION:
754 return rootdse_register_partition(module, req);
755
756 default:
757 break;
758 }
759 return ldb_next_request(module, req);
760 }
761
762 static int rootdse_init(struct ldb_module *module)
763 {
764 int ret;
765 struct ldb_context *ldb;
766 struct ldb_result *res;
767 struct private_data *data;
768 const char *attrs[] = { "msDS-Behavior-Version", NULL };
769 const char *ds_attrs[] = { "dsServiceName", NULL };
770 TALLOC_CTX *mem_ctx;
771
772 ldb = ldb_module_get_ctx(module);
773
774 data = talloc_zero(module, struct private_data);
775 if (data == NULL) {
776 return ldb_oom(ldb);
777 }
778
779 data->num_controls = 0;
780 data->controls = NULL;
781 data->num_partitions = 0;
782 data->partitions = NULL;
783 data->block_anonymous = true;
784
785 ldb_module_set_private(module, data);
786
787 ldb_set_default_dns(ldb);
788
789 ret = ldb_next_init(module);
790
791 if (ret != LDB_SUCCESS) {
792 return ret;
793 }
794
795 mem_ctx = talloc_new(data);
796 if (!mem_ctx) {
797 return ldb_oom(ldb);
798 }
799
800 /* Now that the partitions are set up, do a search for:
801 - domainControllerFunctionality
802 - domainFunctionality
803 - forestFunctionality
804
805 Then stuff these values into an opaque
806 */
807 ret = dsdb_module_search(module, mem_ctx, &res,
808 ldb_get_default_basedn(ldb),
809 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
810 if (ret == LDB_SUCCESS && res->count == 1) {
811 int domain_behaviour_version
812 = ldb_msg_find_attr_as_int(res->msgs[0],
813 "msDS-Behavior-Version", -1);
814 if (domain_behaviour_version != -1) {
815 int *val = talloc(ldb, int);
816 if (!val) {
817 talloc_free(mem_ctx);
818 return ldb_oom(ldb);
819 }
820 *val = domain_behaviour_version;
821 ret = ldb_set_opaque(ldb, "domainFunctionality", val);
822 if (ret != LDB_SUCCESS) {
823 talloc_free(mem_ctx);
824 return ret;
825 }
826 }
827 }
828
829 ret = dsdb_module_search(module, mem_ctx, &res,
830 samdb_partitions_dn(ldb, mem_ctx),
831 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
832 if (ret == LDB_SUCCESS && res->count == 1) {
833 int forest_behaviour_version
834 = ldb_msg_find_attr_as_int(res->msgs[0],
835 "msDS-Behavior-Version", -1);
836 if (forest_behaviour_version != -1) {
837 int *val = talloc(ldb, int);
838 if (!val) {
839 talloc_free(mem_ctx);
840 return ldb_oom(ldb);
841 }
842 *val = forest_behaviour_version;
843 ret = ldb_set_opaque(ldb, "forestFunctionality", val);
844 if (ret != LDB_SUCCESS) {
845 talloc_free(mem_ctx);
846 return ret;
847 }
848 }
849 }
850
851 /* For now, our own server's location in the DB is recorded in
852 * the @ROOTDSE record */
853 ret = dsdb_module_search(module, mem_ctx, &res,
854 ldb_dn_new(mem_ctx, ldb, "@ROOTDSE"),
855 LDB_SCOPE_BASE, ds_attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
856 if (ret == LDB_SUCCESS && res->count == 1) {
857 struct ldb_dn *ds_dn
858 = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0],
859 "dsServiceName");
860 if (ds_dn) {
861 ret = dsdb_module_search(module, mem_ctx, &res, ds_dn,
862 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
863 if (ret == LDB_SUCCESS && res->count == 1) {
864 int domain_controller_behaviour_version
865 = ldb_msg_find_attr_as_int(res->msgs[0],
866 "msDS-Behavior-Version", -1);
867 if (domain_controller_behaviour_version != -1) {
868 int *val = talloc(ldb, int);
869 if (!val) {
870 talloc_free(mem_ctx);
871 return ldb_oom(ldb);
872 }
873 *val = domain_controller_behaviour_version;
874 ret = ldb_set_opaque(ldb,
875 "domainControllerFunctionality", val);
876 if (ret != LDB_SUCCESS) {
877 talloc_free(mem_ctx);
878 return ret;
879 }
880 }
881 }
882 }
883 }
884
885 data->block_anonymous = dsdb_block_anonymous_ops(module, NULL);
886
887 talloc_free(mem_ctx);
888
889 return LDB_SUCCESS;
890 }
891
892 /*
893 * This function gets the string SCOPE_DN:OPTIONAL_FEATURE_GUID and parse it
894 * to a DN and a GUID object
895 */
896 static int get_optional_feature_dn_guid(struct ldb_request *req, struct ldb_context *ldb,
897 TALLOC_CTX *mem_ctx,
898 struct ldb_dn **op_feature_scope_dn,
899 struct GUID *op_feature_guid)
900 {
901 const struct ldb_message *msg = req->op.mod.message;
902 const char *ldb_val_str;
903 char *dn, *guid;
904 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
905 NTSTATUS status;
906
907 ldb_val_str = ldb_msg_find_attr_as_string(msg, "enableOptionalFeature", NULL);
908 if (!ldb_val_str) {
909 ldb_set_errstring(ldb,
910 "rootdse: unable to find 'enableOptionalFeature'!");
911 return LDB_ERR_UNWILLING_TO_PERFORM;
912 }
913
914 guid = strchr(ldb_val_str, ':');
915 if (!guid) {
916 ldb_set_errstring(ldb,
917 "rootdse: unable to find GUID in 'enableOptionalFeature'!");
918 return LDB_ERR_UNWILLING_TO_PERFORM;
919 }
920 status = GUID_from_string(guid+1, op_feature_guid);
921 if (!NT_STATUS_IS_OK(status)) {
922 ldb_set_errstring(ldb,
923 "rootdse: bad GUID in 'enableOptionalFeature'!");
924 return LDB_ERR_UNWILLING_TO_PERFORM;
925 }
926
927 dn = talloc_strndup(tmp_ctx, ldb_val_str, guid-ldb_val_str);
928 if (!dn) {
929 ldb_set_errstring(ldb,
930 "rootdse: bad DN in 'enableOptionalFeature'!");
931 return LDB_ERR_UNWILLING_TO_PERFORM;
932 }
933
934 *op_feature_scope_dn = ldb_dn_new(mem_ctx, ldb, dn);
935
936 talloc_free(tmp_ctx);
937 return LDB_SUCCESS;
938 }
939
940 /*
941 * This function gets the OPTIONAL_FEATURE_GUID and looks for the optional feature
942 * ldb_message object.
943 */
944 static int dsdb_find_optional_feature(struct ldb_module *module, struct ldb_context *ldb,
945 TALLOC_CTX *mem_ctx, struct GUID op_feature_guid, struct ldb_message **msg,
946 struct ldb_request *parent)
947 {
948 struct ldb_result *res;
949 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
950 int ret;
951
952 ret = dsdb_module_search(module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
953 NULL,
954 DSDB_FLAG_NEXT_MODULE |
955 DSDB_SEARCH_SEARCH_ALL_PARTITIONS,
956 parent,
957 "(&(objectClass=msDS-OptionalFeature)"
958 "(msDS-OptionalFeatureGUID=%s))",GUID_string(tmp_ctx, &op_feature_guid));
959
960 if (ret != LDB_SUCCESS) {
961 talloc_free(tmp_ctx);
962 return ret;
963 }
964 if (res->count == 0) {
965 talloc_free(tmp_ctx);
966 return LDB_ERR_NO_SUCH_OBJECT;
967 }
968 if (res->count != 1) {
969 ldb_asprintf_errstring(ldb,
970 "More than one object found matching optional feature GUID %s\n",
971 GUID_string(tmp_ctx, &op_feature_guid));
972 talloc_free(tmp_ctx);
973 return LDB_ERR_OPERATIONS_ERROR;
974 }
975
976 *msg = talloc_steal(mem_ctx, res->msgs[0]);
977
978 talloc_free(tmp_ctx);
979 return LDB_SUCCESS;
980 }
981
982 static int rootdse_enable_recycle_bin(struct ldb_module *module,struct ldb_context *ldb,
983 TALLOC_CTX *mem_ctx, struct ldb_dn *op_feature_scope_dn,
984 struct ldb_message *op_feature_msg, struct ldb_request *parent)
985 {
986 int ret;
987 const int domain_func_level = dsdb_functional_level(ldb);
988 struct ldb_dn *ntds_settings_dn;
989 TALLOC_CTX *tmp_ctx;
990 unsigned int el_count = 0;
991 struct ldb_message *msg;
992
993 ret = ldb_msg_find_attr_as_int(op_feature_msg, "msDS-RequiredForestBehaviorVersion", 0);
994 if (domain_func_level < ret){
995 ldb_asprintf_errstring(ldb,
996 "rootdse_enable_recycle_bin: Domain functional level must be at least %d\n",
997 ret);
998 return LDB_ERR_UNWILLING_TO_PERFORM;
999 }
1000
1001 tmp_ctx = talloc_new(mem_ctx);
1002 ntds_settings_dn = samdb_ntds_settings_dn(ldb);
1003 if (!ntds_settings_dn) {
1004 talloc_free(tmp_ctx);
1005 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "Failed to find NTDS settings DN");
1006 }
1007
1008 ntds_settings_dn = ldb_dn_copy(tmp_ctx, ntds_settings_dn);
1009 if (!ntds_settings_dn) {
1010 talloc_free(tmp_ctx);
1011 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "Failed to copy NTDS settings DN");
1012 }
1013
1014 msg = ldb_msg_new(tmp_ctx);
1015 msg->dn = ntds_settings_dn;
1016
1017 ldb_msg_add_linearized_dn(msg, "msDS-EnabledFeature", op_feature_msg->dn);
1018 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
1019
1020 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
1021 if (ret != LDB_SUCCESS) {
1022 ldb_asprintf_errstring(ldb,
1023 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1024 ldb_dn_get_linearized(ntds_settings_dn),
1025 ldb_errstring(ldb));
1026 talloc_free(tmp_ctx);
1027 return ret;
1028 }
1029
1030 msg->dn = op_feature_scope_dn;
1031 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
1032 if (ret != LDB_SUCCESS) {
1033 ldb_asprintf_errstring(ldb,
1034 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1035 ldb_dn_get_linearized(op_feature_scope_dn),
1036 ldb_errstring(ldb));
1037 talloc_free(tmp_ctx);
1038 return ret;
1039 }
1040
1041 return LDB_SUCCESS;
1042 }
1043
1044 static int rootdse_enableoptionalfeature(struct ldb_module *module, struct ldb_request *req)
1045 {
1046 /*
1047 steps:
1048 - check for system (only system can enable features)
1049 - extract GUID from the request
1050 - find the feature object
1051 - check functional level, must be at least msDS-RequiredForestBehaviorVersion
1052 - check if it is already enabled (if enabled return LDAP_ATTRIBUTE_OR_VALUE_EXISTS) - probably not needed, just return error from the add/modify
1053 - add/modify objects (see ntdsconnection code for an example)
1054 */
1055
1056 struct ldb_context *ldb = ldb_module_get_ctx(module);
1057 struct GUID op_feature_guid;
1058 struct ldb_dn *op_feature_scope_dn;
1059 struct ldb_message *op_feature_msg;
1060 struct auth_session_info *session_info =
1061 (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
1062 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
1063 int ret;
1064 const char *guid_string;
1065
1066 if (security_session_user_level(session_info, NULL) != SECURITY_SYSTEM) {
1067 ldb_set_errstring(ldb, "rootdse: Insufficient rights for enableoptionalfeature");
1068 return LDB_ERR_UNWILLING_TO_PERFORM;
1069 }
1070
1071 ret = get_optional_feature_dn_guid(req, ldb, tmp_ctx, &op_feature_scope_dn, &op_feature_guid);
1072 if (ret != LDB_SUCCESS) {
1073 talloc_free(tmp_ctx);
1074 return ret;
1075 }
1076
1077 guid_string = GUID_string(tmp_ctx, &op_feature_guid);
1078 if (!guid_string) {
1079 ldb_set_errstring(ldb, "rootdse: bad optional feature GUID");
1080 return LDB_ERR_UNWILLING_TO_PERFORM;
1081 }
1082
1083 ret = dsdb_find_optional_feature(module, ldb, tmp_ctx, op_feature_guid, &op_feature_msg, req);
1084 if (ret != LDB_SUCCESS) {
1085 ldb_asprintf_errstring(ldb,
1086 "rootdse: unable to find optional feature for %s - %s",
1087 guid_string, ldb_errstring(ldb));
1088 talloc_free(tmp_ctx);
1089 return ret;
1090 }
1091
1092 if (strcasecmp(DS_GUID_FEATURE_RECYCLE_BIN, guid_string) == 0) {
1093 ret = rootdse_enable_recycle_bin(module, ldb,
1094 tmp_ctx, op_feature_scope_dn,
1095 op_feature_msg, req);
1096 } else {
1097 ldb_asprintf_errstring(ldb,
1098 "rootdse: unknown optional feature %s",
1099 guid_string);
1100 talloc_free(tmp_ctx);
1101 return LDB_ERR_UNWILLING_TO_PERFORM;
1102 }
1103 if (ret != LDB_SUCCESS) {
1104 ldb_asprintf_errstring(ldb,
1105 "rootdse: failed to set optional feature for %s - %s",
1106 guid_string, ldb_errstring(ldb));
1107 talloc_free(tmp_ctx);
1108 return ret;
1109 }
1110
1111 talloc_free(tmp_ctx);
1112 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);;
1113 }
1114
1115 static int rootdse_schemaupdatenow(struct ldb_module *module, struct ldb_request *req)
1116 {
1117 struct ldb_context *ldb = ldb_module_get_ctx(module);
1118 struct ldb_result *ext_res;
1119 int ret;
1120 struct ldb_dn *schema_dn;
1121
1122 schema_dn = ldb_get_schema_basedn(ldb);
1123 if (!schema_dn) {
1124 ldb_reset_err_string(ldb);
1125 ldb_debug(ldb, LDB_DEBUG_WARNING,
1126 "rootdse_modify: no schema dn present: (skip ldb_extended call)\n");
1127 return ldb_next_request(module, req);
1128 }
1129
1130 ret = ldb_extended(ldb, DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID, schema_dn, &ext_res);
1131 if (ret != LDB_SUCCESS) {
1132 return ldb_operr(ldb);
1133 }
1134
1135 talloc_free(ext_res);
1136 return ldb_module_done(req, NULL, NULL, ret);
1137 }
1138
1139 static int rootdse_add(struct ldb_module *module, struct ldb_request *req)
1140 {
1141 struct ldb_context *ldb = ldb_module_get_ctx(module);
1142 int ret;
1143
1144 ret = rootdse_filter_operations(module, req);
1145 if (ret != LDB_SUCCESS) {
1146 return ret;
1147 }
1148
1149 ret = rootdse_filter_controls(module, req);
1150 if (ret != LDB_SUCCESS) {
1151 return ret;
1152 }
1153
1154 /*
1155 If dn is not "" we should let it pass through
1156 */
1157 if (!ldb_dn_is_null(req->op.add.message->dn)) {
1158 return ldb_next_request(module, req);
1159 }
1160
1161 ldb_set_errstring(ldb, "rootdse_add: you cannot add a new rootdse entry!");
1162 return LDB_ERR_NAMING_VIOLATION;
1163 }
1164
1165 struct fsmo_transfer_state {
1166 struct ldb_context *ldb;
1167 struct ldb_request *req;
1168 };
1169
1170 /*
1171 called when a FSMO transfer operation has completed
1172 */
1173 static void rootdse_fsmo_transfer_callback(struct tevent_req *treq)
1174 {
1175 struct fsmo_transfer_state *fsmo = tevent_req_callback_data(treq, struct fsmo_transfer_state);
1176 NTSTATUS status;
1177 WERROR werr;
1178 struct ldb_request *req = fsmo->req;
1179 struct ldb_context *ldb = fsmo->ldb;
1180
1181 status = dcerpc_drepl_takeFSMORole_recv(treq, fsmo, &werr);
1182 talloc_free(fsmo);
1183 if (!NT_STATUS_IS_OK(status)) {
1184 ldb_asprintf_errstring(ldb, "Failed FSMO transfer: %s", nt_errstr(status));
1185 ldb_module_done(req, NULL, NULL, LDB_ERR_UNAVAILABLE);
1186 return;
1187 }
1188 if (!W_ERROR_IS_OK(werr)) {
1189 ldb_asprintf_errstring(ldb, "Failed FSMO transfer: %s", win_errstr(werr));
1190 ldb_module_done(req, NULL, NULL, LDB_ERR_UNAVAILABLE);
1191 return;
1192 }
1193
1194 ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1195 }
1196
1197 static int rootdse_become_master(struct ldb_module *module,
1198 struct ldb_request *req,
1199 enum drepl_role_master role)
1200 {
1201 struct imessaging_context *msg;
1202 struct ldb_context *ldb = ldb_module_get_ctx(module);
1203 TALLOC_CTX *tmp_ctx = talloc_new(req);
1204 struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
1205 bool am_rodc;
1206 struct dcerpc_binding_handle *irpc_handle;
1207 int ret;
1208 struct auth_session_info *session_info;
1209 enum security_user_level level;
1210 struct fsmo_transfer_state *fsmo;
1211 struct tevent_req *treq;
1212
1213 session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
1214 level = security_session_user_level(session_info, NULL);
1215 if (level < SECURITY_ADMINISTRATOR) {
1216 return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS, "Denied rootDSE modify for non-administrator");
1217 }
1218
1219 ret = samdb_rodc(ldb, &am_rodc);
1220 if (ret != LDB_SUCCESS) {
1221 return ldb_error(ldb, ret, "Could not determine if server is RODC.");
1222 }
1223
1224 if (am_rodc) {
1225 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM,
1226 "RODC cannot become a role master.");
1227 }
1228
1229 msg = imessaging_client_init(tmp_ctx, lpcfg_imessaging_path(tmp_ctx, lp_ctx),
1230 ldb_get_event_context(ldb));
1231 if (!msg) {
1232 ldb_asprintf_errstring(ldb, "Failed to generate client messaging context in %s", lpcfg_imessaging_path(tmp_ctx, lp_ctx));
1233 return LDB_ERR_OPERATIONS_ERROR;
1234 }
1235 irpc_handle = irpc_binding_handle_by_name(tmp_ctx, msg,
1236 "dreplsrv",
1237 &ndr_table_irpc);
1238 if (irpc_handle == NULL) {
1239 return ldb_oom(ldb);
1240 }
1241 fsmo = talloc_zero(req, struct fsmo_transfer_state);
1242 if (fsmo == NULL) {
1243 return ldb_oom(ldb);
1244 }
1245 fsmo->ldb = ldb;
1246 fsmo->req = req;
1247
1248 /* we send the call asynchronously, as the ldap client is
1249 * expecting to get an error back if the role transfer fails
1250 */
1251
1252 treq = dcerpc_drepl_takeFSMORole_send(req, ldb_get_event_context(ldb), irpc_handle, role);
1253 if (treq == NULL) {
1254 return ldb_oom(ldb);
1255 }
1256
1257 tevent_req_set_callback(treq, rootdse_fsmo_transfer_callback, fsmo);
1258 return LDB_SUCCESS;
1259 }
1260
1261 static int rootdse_modify(struct ldb_module *module, struct ldb_request *req)
1262 {
1263 struct ldb_context *ldb = ldb_module_get_ctx(module);
1264 int ret;
1265
1266 ret = rootdse_filter_operations(module, req);
1267 if (ret != LDB_SUCCESS) {
1268 return ret;
1269 }
1270
1271 ret = rootdse_filter_controls(module, req);
1272 if (ret != LDB_SUCCESS) {
1273 return ret;
1274 }
1275
1276 /*
1277 If dn is not "" we should let it pass through
1278 */
1279 if (!ldb_dn_is_null(req->op.mod.message->dn)) {
1280 return ldb_next_request(module, req);
1281 }
1282
1283 /*
1284 dn is empty so check for schemaUpdateNow attribute
1285 "The type of modification and values specified in the LDAP modify operation do not matter." MSDN
1286 */
1287 if (ldb_msg_find_element(req->op.mod.message, "schemaUpdateNow")) {
1288 return rootdse_schemaupdatenow(module, req);
1289 }
1290 if (ldb_msg_find_element(req->op.mod.message, "becomeDomainMaster")) {
1291 return rootdse_become_master(module, req, DREPL_NAMING_MASTER);
1292 }
1293 if (ldb_msg_find_element(req->op.mod.message, "becomeInfrastructureMaster")) {
1294 return rootdse_become_master(module, req, DREPL_INFRASTRUCTURE_MASTER);
1295 }
1296 if (ldb_msg_find_element(req->op.mod.message, "becomeRidMaster")) {
1297 return rootdse_become_master(module, req, DREPL_RID_MASTER);
1298 }
1299 if (ldb_msg_find_element(req->op.mod.message, "becomeSchemaMaster")) {
1300 return rootdse_become_master(module, req, DREPL_SCHEMA_MASTER);
1301 }
1302 if (ldb_msg_find_element(req->op.mod.message, "becomePdc")) {
1303 return rootdse_become_master(module, req, DREPL_PDC_MASTER);
1304 }
1305 if (ldb_msg_find_element(req->op.mod.message, "enableOptionalFeature")) {
1306 return rootdse_enableoptionalfeature(module, req);
1307 }
1308
1309 ldb_set_errstring(ldb, "rootdse_modify: unknown attribute to change!");
1310 return LDB_ERR_UNWILLING_TO_PERFORM;
1311 }
1312
1313 static int rootdse_rename(struct ldb_module *module, struct ldb_request *req)
1314 {
1315 struct ldb_context *ldb = ldb_module_get_ctx(module);
1316 int ret;
1317
1318 ret = rootdse_filter_operations(module, req);
1319 if (ret != LDB_SUCCESS) {
1320 return ret;
1321 }
1322
1323 ret = rootdse_filter_controls(module, req);
1324 if (ret != LDB_SUCCESS) {
1325 return ret;
1326 }
1327
1328 /*
1329 If dn is not "" we should let it pass through
1330 */
1331 if (!ldb_dn_is_null(req->op.rename.olddn)) {
1332 return ldb_next_request(module, req);
1333 }
1334
1335 ldb_set_errstring(ldb, "rootdse_remove: you cannot rename the rootdse entry!");
1336 return LDB_ERR_NO_SUCH_OBJECT;
1337 }
1338
1339 static int rootdse_delete(struct ldb_module *module, struct ldb_request *req)
1340 {
1341 struct ldb_context *ldb = ldb_module_get_ctx(module);
1342 int ret;
1343
1344 ret = rootdse_filter_operations(module, req);
1345 if (ret != LDB_SUCCESS) {
1346 return ret;
1347 }
1348
1349 ret = rootdse_filter_controls(module, req);
1350 if (ret != LDB_SUCCESS) {
1351 return ret;
1352 }
1353
1354 /*
1355 If dn is not "" we should let it pass through
1356 */
1357 if (!ldb_dn_is_null(req->op.del.dn)) {
1358 return ldb_next_request(module, req);
1359 }
1360
1361 ldb_set_errstring(ldb, "rootdse_remove: you cannot delete the rootdse entry!");
1362 return LDB_ERR_NO_SUCH_OBJECT;
1363 }
1364
1365 static int rootdse_extended(struct ldb_module *module, struct ldb_request *req)
1366 {
1367 int ret;
1368
1369 ret = rootdse_filter_operations(module, req);
1370 if (ret != LDB_SUCCESS) {
1371 return ret;
1372 }
1373
1374 ret = rootdse_filter_controls(module, req);
1375 if (ret != LDB_SUCCESS) {
1376 return ret;
1377 }
1378
1379 return ldb_next_request(module, req);
1380 }
1381
1382 static const struct ldb_module_ops ldb_rootdse_module_ops = {
1383 .name = "rootdse",
1384 .init_context = rootdse_init,
1385 .search = rootdse_search,
1386 .request = rootdse_request,
1387 .add = rootdse_add,
1388 .modify = rootdse_modify,
1389 .rename = rootdse_rename,
1390 .extended = rootdse_extended,
1391 .del = rootdse_delete
1392 };
1393
1394 int ldb_rootdse_module_init(const char *version)
1395 {
1396 LDB_MODULE_CHECK_VERSION(version);
1397 return ldb_register_module(&ldb_rootdse_module_ops);
1398 }
WIP